Authorization Data Providers Test Plan

Service/Component Description

The component is an internal library used by UNICORE service hosting environment (USE). It provides several implementations which provides client's attributes. Those attributes are subsequently used (by other components) to perform authorization and to map an abstract grid request to the target system specifics. The following attribute sources are supported:

• SAML pull - SAML attribute service using SOAP binding can be queried for the user's attributes.
• SAML push - SAML attribute assertion attached to request's header is checked for validity and if so attributes are extracted.
• XUUDB - XUUDB service can be queried for the user's attributes.
• File - user's attributes can be retrieved from an local XML file.

The component is closely bound to the UNICORE Service Environment (i.e. hosting container). The only deployment scenario is therefore as a library used by the UNICORE container. For deployment scenarios of the container please refer to its SVVP.

The version corresponding to this test plan is: 2.0.0

Functionality tests

The current list is complete only for the initial release in EMI-1. More functional tests must be added in future.

File attribute source (implemented: aip_file)

Test if it is possible to use user DN to incarnation attribute mapping defined in file. The mapping should be returned as the standard UNICORE incarnation attributes.

Normal workflow - correct input User with entry present in map file should get a role incarnation attribute as defined in the file - only then the workflow is passed.

Error workflow - erroneous input User without entry in map file should not get any attributes - only then the workflow is passed.

XUUDB attribute source (NOT implemented)

Test if it is possible to use user DN or Certificate -> (xlogin, group, role) mapping from XUUDB. The mapping should be returned as the standard UNICORE incarnation attributes.

Normal workflow - correct input User with entry present in XUUDB should get a proper incarnation attributes (role, xlogin and primary group) - only then the workflow is passed.

Error workflow - erroneous input User without entry in XUUDB should not get any attributes - only then the workflow is passed.

Integration tests

SAML pull attribute source (implemented: aip_saml_pull)

Test authorization and incarnation of user attributes in USE with each of the SAML pull attribute provider.

Normal workflow - correct input User with an identity valid for the provider should be able to invoke a web service operation, the incarnated settings of the client must match attributes defined in the provider - only then the workflow is passed.

Error workflow - erroneous input User with an identity invalid for the provider should not be able to invoke a web service operation - only then the workflow is passed.

Performance tests

1. For File provider assess number of requests per second served using a database with 100 user entries, each with 3 attributes defined. The test should be run twice: using exact and regexp matching. The test should perform requests using all 100 users many times with a random ordering. TBD: Define PASS criteria (NOT implemented)
2. For XUUDB provider test number of requests per second served using a database with 500 user entries, each with full record (xlogin, project). The test should be run twice: using XUUDB server configured in DN mode and in certificate mode. The test should perform requests using at least 100 users many times with a random ordering. TBD: Define PASS criteria (NOT implemented)

SAML providers performance shall be tested in underlying libraries which perform a real work (this module only provides a trivial wrapper to tie them to the USE API).

Scalability tests

1. For each of the providers: invoke it by 50 threads, each performing 200 iterations. The database of the attribute source should be filled with 100 users. Results of each iteration must be verified for correctness. Test is passed if all iterations succeeded. (NOT implemented)

Standard Compliance/Conformance tests

Not applicable. The only one standard which is used by this module - SAML - is implemented in the underlying libraries. See UNICORE Security libraries SVVP for further details.

Regression tests and unit tests

Unit tests coverage must be included in the test report. All bugs reported should have an automated regression test attached if it is possible. Otherwise manual bug checking procedure should be added to this section. Note that this applies to bugs reported from the 1.11.2010.

Regression tests to be performed manually:

• N/A

Deployment tests

Not applicable, as the library can not be deployed independently from UNICORE services environment. The deployment test of UNICORE server should check if configuration files for all attribute sources are found when all providers are turned on.

[TO BE DONE Provide a configuration for this test here or in UNICORE/X]